Skip to main content

CodeAstro Online Classroom CVE-2026-7741

| EUVDEUVD-2026-26927 LOW
SQL Injection (CWE-89)
2026-05-04 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
May 04, 2026 - 15:17 vuln.today
Public exploit code
Severity Changed
May 04, 2026 - 08:22 NVD
MEDIUM LOW
CVSS changed
May 04, 2026 - 08:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 04, 2026 - 08:15 vuln.today
EUVD ID Assigned
May 04, 2026 - 07:45 euvd
EUVD-2026-26927
Analysis Generated
May 04, 2026 - 07:45 vuln.today
CVE Published
May 04, 2026 - 06:45 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was detected in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/studentlogin. Performing a manipulation of the argument sid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

AnalysisAI

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the sid parameter in the /OnlineClassroom/studentlogin endpoint, enabling data exfiltration and modification with low complexity exploitation. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.3.

Technical ContextAI

The vulnerability exists in the student login functionality of CodeAstro Online Classroom, specifically in the /OnlineClassroom/studentlogin file where user-supplied input (sid parameter) is directly incorporated into SQL queries without proper parameterization or validation. This is a classic CWE-89 SQL injection flaw where an attacker can manipulate database queries to extract sensitive information, modify records, or potentially escalate privileges depending on database permissions and configuration. The attack vector is network-based, suggesting the login endpoint is accessible over HTTP/HTTPS without network-level restrictions.

RemediationAI

Apply a security patch from CodeAstro that implements parameterized queries (prepared statements) for the sid parameter in the /OnlineClassroom/studentlogin endpoint. Contact CodeAstro directly at https://codeastro.com/ for the latest patched version, as specific version numbers are not provided in available advisories. As an interim compensating control, restrict access to the /OnlineClassroom/studentlogin endpoint via Web Application Firewall (WAF) rules that validate sid format strictly (e.g., allow only alphanumeric characters matching expected student ID format) and block payloads containing SQL metacharacters (quotes, semicolons, comments). This reduces exploitability without patching but may block legitimate legitimate logins if student IDs contain special characters - coordinate with CodeAstro to confirm expected sid format before deployment. Additionally, enable SQL query logging and monitoring to detect active exploitation attempts.

Share

CVE-2026-7741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy